It is possible to insert fork bombs and
other dangerous stuff by taking advantage of this, and that might take down
the whole machine, steal data or delete
data depending on the rights of the user executing the script.

The insecurity might also transfer into other areas in case you are not
using this method for the shell, but for something else.

Please do note that most of these problems can be avoided if you just split the arguments in Ruby when doing system calls, which is
easier to do most of the time.